Exchange Hybrid Wizard - what will happen if the certificate does not have all names in it?

IT Guy 106 Reputation points
2020-10-12T09:57:40.157+00:00

Dear community,

We will configure the Exchange Hybrid Wizard in the next few days with the option "centralized mail flow".
We have about 10 accepted domains on our Exchange Server.
I am not sure if we need to buy a new certificate, so I would like to try the existing certificate.

What can go wrong if a SAN name is missing in our existing certificate?
Can I just buy a new certificate and install it on our Exchange in the following days, or will this lead to a mail flow interruption as long as the Hybrid Wizard has not been completed successfully?

Thank you for your feedback!


Accepted answer
  1. Andy David - MVP 144.4K Reputation points MVP
    2020-10-12T16:38:31.267+00:00

    A lot to unpack there, so let me walk through it:

    1. The shared SMTP space can be any of those domains. You don't have to account for all of them on the cert, just one of them that is an accepted domain in Office 365 and on-prem.
      Mail will flow for all the accepted domains when they are added to the hybrid connector address space. You just need to set it for one domain for the cert requirements - so the connectors can use forced TLS and verify the sending servers in the hybrid config - that's all.
    2. Autodiscover is where you need the primary domains accounted for. Your existing on-prem certificate that clients use should already have these, I assume. You can use SRV records or wildcards, but typically SAN certs are used:
      Example: autodiscover.domaina.com, autodiscover.domainB.com, etc. If those are all set on the cert, then you are good. You will need to keep pointing autodiscover in DNS to your internal Exchange Servers as it is now until all the mailboxes are moved to Office 365.
    3. If you buy another domain and add it as accepted, you won't have to make any changes to any existing certs as long as the new domain is not set as a primary SMTP address for mailboxes. If so, then you would need to generate a new cert with autodiscover.newdomain.com (or use SRV records) - assuming you still had those mailboxes on-prem. You wouldn't need to add any new domain to the cert for SMTP mail flow in hybrid.
      Are you sure you have an Edge Role Server? It typically won't be part of the domain and will be in a DMZ. It won't be part of the internal Exchange org in the AD Forest.

    More on SRV records:
    https://supertekboy.com/2016/05/17/using-srv-records-for-autodiscover/

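A way to check the accepted answer's two points (Autodiscover name per primary SMTP domain, SRV or wildcard as alternatives) against the certificate you already have. This is an added example, not code from the thread or from Microsoft; it assumes it runs in the Exchange Management Shell on the on-prem server with the Windows DnsClient module available, and the `-Thumbprint` parameter is an assumption of the script.

```powershell
# Added example (not from the thread). Assumes the Exchange Management Shell on the
# on-prem server and the Windows DnsClient module (Resolve-DnsName). The -Thumbprint
# parameter is assumed; pass the thumbprint of the certificate you intend to use in the HCW.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
# CertificateDomains lists the subject name plus every SAN entry (wildcards appear as *.example.com)
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-CertCovers {
    param([string]$Fqdn)
    if ($certNames -contains $Fqdn) { return 'SAN' }
    $parent = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)
    if ($certNames -contains "*.$parent") { return 'Wildcard' }   # *.domainA.com covers autodiscover.domainA.com
    return $null
}

# Count mailboxes per primary SMTP domain once; these are the domains Autodiscover must keep working for
$primaryCounts = Get-Mailbox -ResultSize Unlimited |
    Group-Object { $_.PrimarySmtpAddress.Domain.ToLower() } -AsHashTable -AsString

$report = foreach ($d in Get-AcceptedDomain) {
    $domain  = $d.DomainName.ToString().ToLower()
    $covered = Test-CertCovers "autodiscover.$domain"
    if (-not $covered) {
        # SRV fallback from the accepted answer: _autodiscover._tcp must point at a name that IS on the cert
        $srv = Resolve-DnsName -Name "_autodiscover._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if ($srv -and (Test-CertCovers $srv.NameTarget.ToLower())) { $covered = "SRV -> $($srv.NameTarget)" }
    }
    $mailboxes = 0
    if ($primaryCounts -and $primaryCounts.ContainsKey($domain)) { $mailboxes = $primaryCounts[$domain].Count }
    [pscustomobject]@{
        Domain           = $domain
        PrimaryMailboxes = $mailboxes
        AutodiscoverName = $(if ($covered) { $covered } else { 'MISSING' })
    }
}

# A MISSING row with PrimaryMailboxes > 0 needs a new SAN, a wildcard, or an SRV record for Outlook
# Autodiscover; SMTP mail flow in hybrid only needs one shared accepted domain on the certificate.
$report | Sort-Object PrimaryMailboxes -Descending | Format-Table -AutoSize
```

Run it before the Hybrid Wizard: domains with zero primary mailboxes can be left off the certificate, which is the accepted answer's point about newly added accepted domains.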

4 additional answers

  1. IT Guy 106 Reputation points
    2020-10-12T20:42:15.247+00:00

    Just to put it all together, I need the following data in my certificate:

    Primary shared SMTP domain for ONE accepted domain: domainA.com
    Autodiscover for ALL primary SMTP domains: autodiscover.domainA.com, autodiscover.domainB.com, ....C, ......D, ....E
    Transport: edge.domainA.com > hostname.domainA.com

    Can you please clarify this: "You wouldn't need to add any new domain to the cert for SMTP mail flow in hybrid."
    Does this mean: when I successfully complete the Hybrid Wizard and after that I need to add a new domain, then I do not have to change my certificate?

    Thank you again for your excellent help Andy.
    I wish such knowledge were easier to find, but there are so many things to consider. You start with one website, 30 minutes later you have 15 pages open in the browser. The pages from Microsoft are not hard to read; the problem is always..... does the described scenario match my situation? And will these changes interfere with something else in my domain?


  2. Andy David - MVP 144.4K Reputation points MVP
    2020-10-12T11:46:10.41+00:00

    Which SAN name is missing? One of the accepted domains that is set as primary SMTP address for some users, or some other name?
    For mail flow, it won't matter as long as the connector is configured using any existing subject name.

    https://video2.skills-academy.com/en-us/exchange/certificate-requirements


  3. IT Guy 106 Reputation points
    2020-10-12T16:13:29.483+00:00

    Hello Andy

    Thank you for your feedback. Can you please help me with these questions? That would be awesome and help me a lot!

    Let's say I have 5 domains: DomainA, DomainB, C, D, E.
    Do I need these three entries..... like domainA.com, autodiscover.domainA.com and edge.domainA.com for all of the 5 domains?
    (For every domain I have users who have one of these five domains as the SMTP entry in their mailbox settings, this means that this is their primary SMTP address, so I need that specific domain also as a "Primary shared SMTP domain" name in the certificate, right?)

    What will happen when my boss says: "we bought DomainX.com, please add it to the accepted mail domains"? Will I need to get a new certificate again, or is there another way than buying a new certificate? It would be great if I could manage this certificate name stuff maybe in DNS or somewhere else.

    Can you explain to me what could be my Edge Transport Server? I am 99.9% sure this is our Exchange server itself, but I need to write that down with screenshots for a written document.
    Where can I find that information? When I enter "Get-TransportServer" in the Exchange Management Shell, the output is the Exchange hostname. That's it?

    Thank you very very much for your help!


  4. Joyce Shen - MSFT 16,646 Reputation points
    2020-10-13T05:26:53.197+00:00

    Hi @IT Guy, do the suggestions above help? You could accept the helpful reply above as the answer.

    In addition, you could also refer to the links below to get more information related to your question:

    Using the Autodiscover Domain feature to enable multiple SMTP domains in your hybrid configuration

    and Exchange Queue & A: Handling hybrid environments


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in [our documentation][3] to enable e-mail notifications if you want to receive the related email notification for this thread.

    [3]: https://video2.skills-academy.com/en-us/previous-versions/technet-magazine/dn249970(v=msdn.10)?redirectedfrom=MSDN 
